<!DOCTYPE html>
<html lang="zh-CN">
<head>
  <meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=2">
<meta name="theme-color" content="#222">
<meta name="generator" content="Hexo 5.4.0">


  <link rel="apple-touch-icon" sizes="180x180" href="/images/apple-touch-icon-next.png">
  <link rel="icon" type="image/png" sizes="32x32" href="/images/favicon-32x32-next.png">
  <link rel="icon" type="image/png" sizes="16x16" href="/images/favicon-16x16-next.png">
  <link rel="mask-icon" href="/images/logo.svg" color="#222">

<link rel="stylesheet" href="/css/main.css">



<link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/@fortawesome/fontawesome-free@5.15.2/css/all.min.css">
  <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/animate.css@3.1.1/animate.min.css">

<script class="hexo-configurations">
    var NexT = window.NexT || {};
    var CONFIG = {"hostname":"littlefxc.github.io","root":"/","images":"/images","scheme":"Mist","version":"8.2.2","exturl":false,"sidebar":{"position":"left","display":"post","padding":18,"offset":12},"copycode":false,"bookmark":{"enable":false,"color":"#222","save":"auto"},"fancybox":false,"mediumzoom":false,"lazyload":false,"pangu":false,"comments":{"style":"tabs","active":null,"storage":true,"lazyload":false,"nav":null},"motion":{"enable":true,"async":false,"transition":{"post_block":"fadeIn","post_header":"fadeInDown","post_body":"fadeInDown","coll_header":"fadeInLeft","sidebar":"fadeInUp"}},"prism":false,"i18n":{"placeholder":"搜索...","empty":"没有找到任何搜索结果：${query}","hits_time":"找到 ${hits} 个搜索结果（用时 ${time} 毫秒）","hits":"找到 ${hits} 个搜索结果"},"path":"/search.xml","localsearch":{"enable":true,"trigger":"auto","top_n_per_article":1,"unescape":false,"preload":false}};
  </script>
<meta name="description" content="logstash基础语法与使用1234567891011121314151617181920212223242526272829303132333435363738## 解压安装tar -zxvf logstash-6.6.0.tar.gz -C &#x2F;usr&#x2F;local&#x2F;## conf下配置文件说明：# logstash配置文件：&#x2F;config&#x2F;logstash.yml# JVM参数文件：&#x2F;conf">
<meta property="og:type" content="article">
<meta property="og:title" content="logstash基础语法与使用">
<meta property="og:url" content="http://littlefxc.github.io/2021/04/20/logstash%E5%9F%BA%E7%A1%80%E8%AF%AD%E6%B3%95%E4%B8%8E%E4%BD%BF%E7%94%A8/index.html">
<meta property="og:site_name" content="一年春又来">
<meta property="og:description" content="logstash基础语法与使用1234567891011121314151617181920212223242526272829303132333435363738## 解压安装tar -zxvf logstash-6.6.0.tar.gz -C &#x2F;usr&#x2F;local&#x2F;## conf下配置文件说明：# logstash配置文件：&#x2F;config&#x2F;logstash.yml# JVM参数文件：&#x2F;conf">
<meta property="og:locale" content="zh_CN">
<meta property="article:published_time" content="2021-04-20T14:21:10.000Z">
<meta property="article:modified_time" content="2021-04-20T14:27:50.854Z">
<meta property="article:author" content="一年春又来">
<meta property="article:tag" content="elk">
<meta property="article:tag" content="logstash">
<meta name="twitter:card" content="summary">


<link rel="canonical" href="http://littlefxc.github.io/2021/04/20/logstash%E5%9F%BA%E7%A1%80%E8%AF%AD%E6%B3%95%E4%B8%8E%E4%BD%BF%E7%94%A8/">


<script class="page-configurations">
  // https://hexo.io/docs/variables.html
  CONFIG.page = {
    sidebar: "",
    isHome : false,
    isPost : true,
    lang   : 'zh-CN'
  };
</script>
<title>logstash基础语法与使用 | 一年春又来</title>
  




  <noscript>
  <style>
  body { margin-top: 2rem; }

  .use-motion .menu-item,
  .use-motion .sidebar,
  .use-motion .post-block,
  .use-motion .pagination,
  .use-motion .comments,
  .use-motion .post-header,
  .use-motion .post-body,
  .use-motion .collection-header {
    visibility: visible;
  }

  .use-motion .header,
  .use-motion .site-brand-container .toggle,
  .use-motion .footer { opacity: initial; }

  .use-motion .site-title,
  .use-motion .site-subtitle,
  .use-motion .custom-logo-image {
    opacity: initial;
    top: initial;
  }

  .use-motion .logo-line {
    transform: scaleX(1);
  }

  .search-pop-overlay, .sidebar-nav { display: none; }
  .sidebar-panel { display: block; }
  </style>
</noscript>

<link rel="alternate" href="/atom.xml" title="一年春又来" type="application/atom+xml">
</head>

<body itemscope itemtype="http://schema.org/WebPage" class="use-motion">
  <div class="headband"></div>

  <main class="main">
    <header class="header" itemscope itemtype="http://schema.org/WPHeader">
      <div class="header-inner"><div class="site-brand-container">
  <div class="site-nav-toggle">
    <div class="toggle" aria-label="切换导航栏" role="button">
        <span class="toggle-line"></span>
        <span class="toggle-line"></span>
        <span class="toggle-line"></span>
    </div>
  </div>

  <div class="site-meta">

    <a href="/" class="brand" rel="start">
      <i class="logo-line"></i>
      <h1 class="site-title">一年春又来</h1>
      <i class="logo-line"></i>
    </a>
  </div>

  <div class="site-nav-right">
    <div class="toggle popup-trigger">
        <i class="fa fa-search fa-fw fa-lg"></i>
    </div>
  </div>
</div>



<nav class="site-nav">
  <ul class="main-menu menu">
        <li class="menu-item menu-item-home"><a href="/" rel="section"><i class="home                          //首页 fa-fw"></i>首页</a></li>
        <li class="menu-item menu-item-archives"><a href="/archives/" rel="section"><i class="archive          //归档 fa-fw"></i>归档</a></li>
        <li class="menu-item menu-item-categories"><a href="/categories/" rel="section"><i class="th           //分类 fa-fw"></i>分类</a></li>
        <li class="menu-item menu-item-tags"><a href="/tags/" rel="section"><i class="tags                     //标签 fa-fw"></i>标签</a></li>
      <li class="menu-item menu-item-search">
        <a role="button" class="popup-trigger"><i class="fa fa-search fa-fw"></i>搜索
        </a>
      </li>
  </ul>
</nav>



  <div class="search-pop-overlay">
    <div class="popup search-popup"><div class="search-header">
  <span class="search-icon">
    <i class="fa fa-search"></i>
  </span>
  <div class="search-input-container">
    <input autocomplete="off" autocapitalize="off" maxlength="80"
           placeholder="搜索..." spellcheck="false"
           type="search" class="search-input">
  </div>
  <span class="popup-btn-close" role="button">
    <i class="fa fa-times-circle"></i>
  </span>
</div>
<div class="search-result-container no-result">
  <div class="search-result-icon">
    <i class="fa fa-spinner fa-pulse fa-5x"></i>
  </div>
</div>

    </div>
  </div>

</div>
        
  
  <div class="toggle sidebar-toggle" role="button">
    <span class="toggle-line"></span>
    <span class="toggle-line"></span>
    <span class="toggle-line"></span>
  </div>

  <aside class="sidebar">

    <div class="sidebar-inner sidebar-nav-active sidebar-toc-active">
      <ul class="sidebar-nav">
        <li class="sidebar-nav-toc">
          文章目录
        </li>
        <li class="sidebar-nav-overview">
          站点概览
        </li>
      </ul>

      <div class="sidebar-panel-container">
        <!--noindex-->
        <div class="post-toc-wrap sidebar-panel">
            <div class="post-toc animated"><ol class="nav"><li class="nav-item nav-level-1"><a class="nav-link" href="#logstash%E5%9F%BA%E7%A1%80%E8%AF%AD%E6%B3%95%E4%B8%8E%E4%BD%BF%E7%94%A8"><span class="nav-text">logstash基础语法与使用</span></a></li></ol></div>
        </div>
        <!--/noindex-->

        <div class="site-overview-wrap sidebar-panel">
          <div class="site-author site-overview-item animated" itemprop="author" itemscope itemtype="http://schema.org/Person">
  <p class="site-author-name" itemprop="name">一年春又来</p>
  <div class="site-description" itemprop="description"></div>
</div>
<div class="site-state-wrap site-overview-item animated">
  <nav class="site-state">
      <div class="site-state-item site-state-posts">
          <a href="/archives/">
        
          <span class="site-state-item-count">234</span>
          <span class="site-state-item-name">日志</span>
        </a>
      </div>
      <div class="site-state-item site-state-categories">
            <a href="/categories/">
          
        <span class="site-state-item-count">38</span>
        <span class="site-state-item-name">分类</span></a>
      </div>
      <div class="site-state-item site-state-tags">
            <a href="/tags/">
          
        <span class="site-state-item-count">125</span>
        <span class="site-state-item-name">标签</span></a>
      </div>
  </nav>
</div>



        </div>
      </div>
    </div>
  </aside>
  <div class="sidebar-dimmer"></div>


    </header>

    
  <div class="back-to-top" role="button">
    <i class="fa fa-arrow-up"></i>
    <span>0%</span>
  </div>

<noscript>
  <div class="noscript-warning">Theme NexT works best with JavaScript enabled</div>
</noscript>


    <div class="main-inner post posts-expand">


  


<div class="post-block">
  
  

  <article itemscope itemtype="http://schema.org/Article" class="post-content" lang="zh-CN">
    <link itemprop="mainEntityOfPage" href="http://littlefxc.github.io/2021/04/20/logstash%E5%9F%BA%E7%A1%80%E8%AF%AD%E6%B3%95%E4%B8%8E%E4%BD%BF%E7%94%A8/">

    <span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
      <meta itemprop="image" content="/images/avatar.gif">
      <meta itemprop="name" content="一年春又来">
      <meta itemprop="description" content="">
    </span>

    <span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
      <meta itemprop="name" content="一年春又来">
    </span>
      <header class="post-header">
        <h1 class="post-title" itemprop="name headline">
          logstash基础语法与使用
        </h1>

        <div class="post-meta-container">
          <div class="post-meta">
    <span class="post-meta-item">
      <span class="post-meta-item-icon">
        <i class="far fa-calendar"></i>
      </span>
      <span class="post-meta-item-text">发表于</span>
      

      <time title="创建时间：2021-04-20 22:21:10 / 修改时间：22:27:50" itemprop="dateCreated datePublished" datetime="2021-04-20T22:21:10+08:00">2021-04-20</time>
    </span>

  
</div>

        </div>
      </header>

    
    
    
    <div class="post-body" itemprop="articleBody">
        <h1 id="logstash基础语法与使用"><a href="#logstash基础语法与使用" class="headerlink" title="logstash基础语法与使用"></a>logstash基础语法与使用</h1><figure class="highlight sh"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">## 解压安装</span></span><br><span class="line">tar -zxvf logstash-6.6.0.tar.gz -C /usr/<span class="built_in">local</span>/</span><br><span class="line"></span><br><span class="line"><span class="comment">## conf下配置文件说明：</span></span><br><span class="line"><span class="comment"># logstash配置文件：/config/logstash.yml</span></span><br><span class="line"><span class="comment"># JVM参数文件：/config/jvm.options</span></span><br><span class="line"><span class="comment"># 日志格式配置文件：log4j2.properties</span></span><br><span class="line"><span class="comment"># 制作Linux服务参数：/config/startup.options</span></span><br><span class="line"></span><br><span class="line"><span class="comment">## 配置文件说明：</span></span><br><span class="line">vim /usr/<span class="built_in">local</span>/logstash-6.6.0/config/logstash.yml</span><br><span class="line"></span><br><span class="line">--path.config 或 –f ：logstash启动时使用的配置文件</span><br><span class="line">--configtest 或 –t：测试 Logstash 读取到的配置文件语法是否能正常解析</span><br><span class="line">--<span class="built_in">log</span>或-l：日志输出存储位置</span><br><span class="line">--pipeline.workers 或 –w：运行 filter 和 output 的 pipeline 线程数量。默认是 CPU 核数。</span><br><span class="line">--pipeline.batch.size 或 –b：每个 Logstash pipeline 线程，在执行具体的 filter 和 output 函数之前，最多能累积的日志条数。</span><br><span class="line">--pipeline.batch.delay 或 –u：每个 Logstash pipeline 线程，在打包批量日志的时候，最多等待几毫秒。</span><br><span class="line">--verbose：输出调试日志</span><br><span class="line">--debug：输出更多的调试日志</span><br><span class="line"></span><br><span class="line"><span class="comment">## 虚拟机配置</span></span><br><span class="line">vim /usr/<span class="built_in">local</span>/logstash-6.6.0/config/jvm.options</span><br><span class="line"></span><br><span class="line"><span class="comment">## 启动配置 比如启动时的java位置、LS的home等</span></span><br><span class="line">vim /usr/<span class="built_in">local</span>/logstash-6.6.0/config/startup.options</span><br><span class="line"></span><br><span class="line"><span class="comment">## 数据收集目录：/usr/local/logstash-6.6.0/data</span></span><br><span class="line"><span class="comment">## 插件目录：/usr/local/logstash-6.6.0/vendor/bundle/jruby/1.9/gems</span></span><br><span class="line"><span class="comment">## 查看插件命令：</span></span><br><span class="line">/usr/<span class="built_in">local</span>/logstash-6.6.0/bin/logstash-plugin list</span><br><span class="line"><span class="comment">## 更新插件命令：</span></span><br><span class="line">/usr/<span class="built_in">local</span>/logstash-6.6.0/bin/logstash-plugin update logstash-xxxx-xxxxx</span><br><span class="line"><span class="comment">## 安装插件命令：</span></span><br><span class="line">/usr/<span class="built_in">local</span>/logstash-6.6.0/bin/logstash-plugin install logstash-xxxx-xxxxx</span><br><span class="line"><span class="comment">## 插件地址： https://github.com/logstash-plugins</span></span><br><span class="line"></span><br><span class="line"></span><br></pre></td></tr></table></figure>

<p><strong>logstash语法与基本使用：</strong></p>
<ol>
<li><p>Logstash设计了自己的DSL包括有区域，注释，数据类型(布尔值，字符串，数值，数组，哈希)，条件判断字段引用等。</p>
</li>
<li><p>Logstash用{}来定义区域。区域内可以包括插件区域定义，你可以在一个区域内定义多个插件。插件区域内则可以定义键值对设置。</p>
</li>
<li><p>格式、语法、使用方式：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br></pre></td><td class="code"><pre><span class="line"># 注释.</span><br><span class="line">input &#123;</span><br><span class="line">  ...</span><br><span class="line">&#125;</span><br><span class="line"> </span><br><span class="line">filter &#123;</span><br><span class="line">  ...</span><br><span class="line">&#125;</span><br><span class="line"> </span><br><span class="line">output &#123;</span><br><span class="line">  ...</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>

<p><strong>两个input设置：</strong></p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br></pre></td><td class="code"><pre><span class="line"></span><br><span class="line">input &#123;</span><br><span class="line">  file &#123;</span><br><span class="line">    path &#x3D;&gt; &quot;&#x2F;var&#x2F;log&#x2F;messages&quot;</span><br><span class="line">    type &#x3D;&gt; &quot;syslog&quot;</span><br><span class="line">  &#125;</span><br><span class="line">  file &#123;</span><br><span class="line">    path &#x3D;&gt; &quot;&#x2F;var&#x2F;log&#x2F;apache&#x2F;access.log&quot;</span><br><span class="line">    type &#x3D;&gt; &quot;apache&quot;</span><br><span class="line">  &#125;</span><br><span class="line">&#125;                                                           </span><br></pre></td></tr></table></figure>

<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br></pre></td><td class="code"><pre><span class="line">## 数据类型：</span><br><span class="line">## bool类型</span><br><span class="line">debug &#x3D;&gt; true</span><br><span class="line">## string类型</span><br><span class="line">host &#x3D;&gt; &quot;hostname&quot;</span><br><span class="line">## number类型</span><br><span class="line">port &#x3D;&gt; 6789</span><br><span class="line">## array or list类型</span><br><span class="line">path &#x3D;&gt; [&quot;&#x2F;var&#x2F;log&#x2F;message&quot;,&quot;&#x2F;var&#x2F;log&#x2F;*.log&quot;]</span><br><span class="line">## hash类型</span><br><span class="line">match &#x3D;&gt; &#123;</span><br><span class="line">    &quot;field1&quot; &#x3D;&gt; &quot;value1&quot;</span><br><span class="line">    &quot;field2&quot; &#x3D;&gt; &quot;value2&quot;</span><br><span class="line">&#125;</span><br><span class="line">## codec类型</span><br><span class="line">codec &#x3D;&gt; &quot;json&quot;</span><br><span class="line"></span><br><span class="line">##字段引用方式：</span><br><span class="line">&#123;</span><br><span class="line">    &quot;agent&quot;:  &quot;Mozilla&#x2F;5.0  (compatible;  MSIE  9.0)&quot;,</span><br><span class="line">    &quot;ip&quot;:  &quot;192.168.24.44&quot;,</span><br><span class="line">    &quot;request&quot;:  &quot;&#x2F;index.html&quot;</span><br><span class="line">    &quot;response&quot;:  &#123;</span><br><span class="line">        &quot;status&quot;:  200,</span><br><span class="line">        &quot;bytes&quot;:  52353</span><br><span class="line">    &#125;,</span><br><span class="line">    &quot;ua&quot;:  &#123;</span><br><span class="line">        &quot;os&quot;:  &quot;Windows  7&quot;</span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br><span class="line">##获取字段值：</span><br><span class="line">[response][status]</span><br><span class="line">[ua][os]                                       </span><br></pre></td></tr></table></figure>

<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br></pre></td><td class="code"><pre><span class="line">## 条件判断condition：</span><br><span class="line">if EXPRESSION &#123;</span><br><span class="line">  ...</span><br><span class="line">&#125; else if EXPRESSION &#123;</span><br><span class="line">  ...</span><br><span class="line">&#125; else &#123;</span><br><span class="line">  ...</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line">&#x3D;&#x3D;(等于), !&#x3D;(不等于), &lt;(小于), &gt;(大于), &lt;&#x3D;(小于等于), &gt;&#x3D;(大于等于), &#x3D;~(匹配正则), !~（不匹配正则）</span><br><span class="line">in(包含), not in(不包含), and(与), or(或), nand(非与), xor(非或)</span><br><span class="line">()(复合表达式), !()(对复合表达式结果取反)</span><br></pre></td></tr></table></figure>

<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br></pre></td><td class="code"><pre><span class="line">## 使用环境变量（缺失报错）:</span><br><span class="line">input &#123; </span><br><span class="line">	tcp &#123; </span><br><span class="line">		port &#x3D;&gt; &quot;$&#123;TCP_PORT&#125;&quot; </span><br><span class="line">	&#125; </span><br><span class="line">&#125;</span><br><span class="line">## 使用环境变量（缺失使用默认值）：</span><br><span class="line">input &#123; </span><br><span class="line">	tcp &#123; </span><br><span class="line">		port &#x3D;&gt; &quot;$&#123;TCP_PORT:54321&#125;&quot; </span><br><span class="line">	&#125; </span><br><span class="line">&#125;                                            </span><br></pre></td></tr></table></figure></li>
<li><p>logstash例子：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br></pre></td><td class="code"><pre><span class="line">## input 从标准输入流：</span><br><span class="line">input &#123; stdin &#123; &#125; &#125;</span><br><span class="line"></span><br><span class="line">## 输入数据之后 如何进行处理：</span><br><span class="line">filter &#123;</span><br><span class="line">  ## grok：解析元数据插件,这里从input输入进来的所有数据默认都会存放到 &quot;message&quot; 字段中</span><br><span class="line">  ## grok提供很多正则表达式，地址为：http:&#x2F;&#x2F;grokdebug.herokuapp.com&#x2F;patterns</span><br><span class="line">  ## 比如：%&#123;COMBINEDAPACHELOG&#125; 表示其中一种正则表达式 Apache的表达式</span><br><span class="line">  grok &#123;</span><br><span class="line">    match &#x3D;&gt; &#123; &quot;message&quot; &#x3D;&gt; &quot;%&#123;COMBINEDAPACHELOG&#125;&quot; &#125;</span><br><span class="line">  &#125;</span><br><span class="line">  ## date：日期格式化</span><br><span class="line">  date &#123;</span><br><span class="line">    match &#x3D;&gt; [ &quot;timestamp&quot; , &quot;dd&#x2F;MMM&#x2F;yyyy:HH:mm:ss Z&quot; ]</span><br><span class="line">  &#125;</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line">## output 从标准输出流：</span><br><span class="line">output &#123;</span><br><span class="line">  elasticsearch &#123; hosts &#x3D;&gt; [&quot;192.168.11.35:9200&quot;] &#125;</span><br><span class="line">  stdout &#123; codec &#x3D;&gt; rubydebug &#125;</span><br><span class="line">&#125;                         </span><br></pre></td></tr></table></figure></li>
<li><p>file插件使用：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br></pre></td><td class="code"><pre><span class="line">## file插件</span><br><span class="line">input &#123;</span><br><span class="line">    file &#123;</span><br><span class="line">        path &#x3D;&gt; [&quot;&#x2F;var&#x2F;log&#x2F;*.log&quot;, &quot;&#x2F;var&#x2F;log&#x2F;message&quot;]</span><br><span class="line">        type &#x3D;&gt; &quot;system&quot;</span><br><span class="line">        start_position &#x3D;&gt; &quot;beginning&quot;</span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br><span class="line">## 其他参数：</span><br><span class="line">discover_interval ## 表示每隔多久检测一下文件，默认15秒</span><br><span class="line">exclude ## 表示排除那些文件</span><br><span class="line">close_older ## 文件超过多长时间没有更新，就关闭监听 默认3600s</span><br><span class="line">ignore_older ## 每次检查文件列表 如果有一个文件 最后修改时间超过这个值 那么就忽略文件 86400s</span><br><span class="line">sincedb_path ## sincedb保存文件的位置，默认存在home下（&#x2F;dev&#x2F;null）</span><br><span class="line">sincedb_write_interval ## 每隔多久去记录一次 默认15秒</span><br><span class="line">stat_interval ## 每隔多久查询一次文件状态 默认1秒</span><br><span class="line">start_position ## 从头开始读取或者从结尾开始读取</span><br></pre></td></tr></table></figure></li>
</ol>

    </div>

    
    
    

    <footer class="post-footer">
          <div class="post-tags">
              <a href="/tags/elk/" rel="tag"># elk</a>
              <a href="/tags/logstash/" rel="tag"># logstash</a>
          </div>

        

          <div class="post-nav">
            <div class="post-nav-item">
                <a href="/2021/04/08/Flink%E6%A0%B8%E5%BF%83%E6%A6%82%E5%BF%B5/" rel="prev" title="Flink核心概念">
                  <i class="fa fa-chevron-left"></i> Flink核心概念
                </a>
            </div>
            <div class="post-nav-item">
                <a href="/2021/04/25/Java%E5%A4%9A%E7%BA%BF%E7%A8%8BJUC%E9%94%81%E4%B9%8B%E5%85%AC%E5%B9%B3%E9%94%81/" rel="next" title="Java多线程JUC锁之公平锁">
                  Java多线程JUC锁之公平锁 <i class="fa fa-chevron-right"></i>
                </a>
            </div>
          </div>
    </footer>
  </article>
</div>







<script>
  window.addEventListener('tabs:register', () => {
    let { activeClass } = CONFIG.comments;
    if (CONFIG.comments.storage) {
      activeClass = localStorage.getItem('comments_active') || activeClass;
    }
    if (activeClass) {
      const activeTab = document.querySelector(`a[href="#comment-${activeClass}"]`);
      if (activeTab) {
        activeTab.click();
      }
    }
  });
  if (CONFIG.comments.storage) {
    window.addEventListener('tabs:click', event => {
      if (!event.target.matches('.tabs-comment .tab-content .tab-pane')) return;
      const commentClass = event.target.classList[1];
      localStorage.setItem('comments_active', commentClass);
    });
  }
</script>
</div>
  </main>

  <footer class="footer">
    <div class="footer-inner">


<div class="copyright">
  &copy; 
  <span itemprop="copyrightYear">2022</span>
  <span class="with-love">
    <i class="fa fa-heart"></i>
  </span>
  <span class="author" itemprop="copyrightHolder">一年春又来</span>
</div>
  <div class="powered-by">由 <a href="https://hexo.io/" class="theme-link" rel="noopener" target="_blank">Hexo</a> & <a href="https://theme-next.js.org/mist/" class="theme-link" rel="noopener" target="_blank">NexT.Mist</a> 强力驱动
  </div>

    </div>
  </footer>

  
  <script src="https://cdn.jsdelivr.net/npm/animejs@3.2.1/lib/anime.min.js"></script>
<script src="/js/utils.js"></script><script src="/js/motion.js"></script><script src="/js/schemes/muse.js"></script><script src="/js/next-boot.js"></script>

  
<script src="/js/local-search.js"></script>






  





</body>
</html>
